
I'm trying to get my head round the purpose of the isPersistent property found on the FormsAuthenticationTicket class. http://msdn.microsoft.com/en-us/library/kybcs83h.aspx

  1. Are there scenarios when setting isPersistent works?
  2. In what scenarios would I want to set isPersistent to true and false?

The property seems to be redundant, since I've found the only way for me to persist my user's authentication cookie across browser sessions is to set the Expires property of the cookie created following ticket creation, even if the ticket's isPersistent value is set to false.

I also found that setting the ticket's expiry (not the cookie's) to something like 10 seconds with isPersistent set to true has little effect; the ticket expires after 10 seconds.

```csharp
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
    identity.Name,
    DateTime.Now,
    DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes),
    isPersistent,
    JsonSerializerService.ToJson(identity),
    FormsAuthentication.FormsCookiePath);

string encryptedTicket = FormsAuthentication.Encrypt(ticket);

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

cookie.Path = FormsAuthentication.FormsCookiePath;

cookie.Expires = DateTime.Now.AddYears(1); // good for one year
```

I appreciate that I can change my above code to optionally set Expires:

```csharp
if (isPersistent)
    cookie.Expires = DateTime.Now.AddYears(1); // good for one year
```

An example application has been created @ GitHub. https://github.com/chrismoutray/AuthSample This basically shows that even by setting the isPersistent flag to true the cross browser authorization doesn't work.

Chris Moutray

1 Answer

In framework 1.0/1.1, setting IsPersistent to true would set an expiration of 50 years on the cookie.
In version 2.0 it was changed so the expiration of the cookie matches the forms authentication timeout attribute. So you can set IsPersistent to true, but the cookie will always expire after the forms authentication timeout period.
Your code does the trick if you want a long expiration period without modifying the forms authentication timeout.

edit: I've downloaded your sample and replaced your cookie code with

```csharp
FormsAuthentication.SetAuthCookie(model.UserName, true);
```

And it's working as expected: with two days configured as your form timeout, my cookie will expire in two days.

lnu
  • I feel like I'm missing something; the cookie will not persist unless I specifically set the cookie's `Expires` field. Setting IsPersistent has no effect. – Chris Moutray Apr 27 '12 at 12:13
  • If you set IsPersistent to true the generated cookie will have an expiration date of now+forms timeout. It's not your case? – lnu Apr 27 '12 at 12:28
  • Well no - if I remove the line `cookie.Expires = DateTime.Now.AddYears(1);` my remember-me feature of the login doesn't work even though isPersistent is set to true. – Chris Moutray Apr 27 '12 at 14:24
  • Setting a breakpoint on the line after the creation of the cookie: `cookie.Expires` has a value of `01/01/0001 00:00:00`, and doesn't match the ticket's expiry value. – Chris Moutray Apr 27 '12 at 14:26
  • I've seen the same question many times asking why setting isPersistent for the auth ticket doesn't work; usually followed by the standard answer of setting the cookie's expiry date, as my code example shows. – Chris Moutray Apr 27 '12 at 14:29
  • I'm pretty sure that having to set the cookie's expiry for the auth ticket to persist is not to do with my development environment. I have a deployed application running under IIS, where the login's remember-me option doesn't work. The code has been written such that the isPersistent flag is set but setting of the cookie's Expires was left out. – Chris Moutray Apr 27 '12 at 14:39
  • I've created a sample site and set the forms timeout to 4320. When I do FormsAuthentication.GetAuthCookie, the cookie expiration date is in 3 days. If I do SetAuthCookie, my cookie also expires in 3 days. It seems to work. – lnu Apr 27 '12 at 15:09
  • Could you provide a code sample of creating the auth ticket and setting the cookie if different to the example in the question? Thanks – Chris Moutray Apr 27 '12 at 18:27
  • I have a sample application to show the problem, it would be really helpful if you could make the remember-me feature of the login work without setting `cookie.Expires` https://github.com/mouters/AuthSample – Chris Moutray Apr 28 '12 at 06:21
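
An added example, not part of the original question, the answer, or the AuthSample repository: one way to build the cookie by hand (so the ticket can carry custom user data) while tying the browser-side lifetime to the ticket instead of a fixed one-year value. The class and method names are hypothetical; `userData` stands in for the serialized identity from the question.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieExample
{
    // Hypothetical helper illustrating the behaviour discussed in this thread.
    public static HttpCookie BuildAuthCookie(string userName, string userData, bool rememberMe)
    {
        // The ticket's Expiration travels inside the encrypted value and is what
        // the server checks on each request, regardless of the cookie's Expires.
        var ticket = new FormsAuthenticationTicket(
            1,
            userName,
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            rememberMe,
            userData,
            FormsAuthentication.FormsCookiePath);

        // A hand-built HttpCookie starts with Expires = DateTime.MinValue
        // (01/01/0001), which the browser treats as a session cookie, whatever
        // the ticket's IsPersistent flag says.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                        // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL // follow the requireSSL setting
        };

        // Persist across browser sessions only when requested, and never keep
        // the cookie on disk longer than the ticket inside it stays valid.
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;

        return cookie;
    }
}
```

Call it from the login action with `Response.Cookies.Add(AuthCookieExample.BuildAuthCookie(name, json, rememberMe));`. Setting `cookie.Expires` further out than `ticket.Expiration` only leaves an expired ticket stored in the browser; it does not extend the login.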